I'm trying to figure out what happened to a web app I was testing today. I was blackbox testing the forum/discussion feature for an online learning app (written in Java) that allows users to post HTML, but has an XSS filter to block known bad HTML tags. I've found some ways to bypass this particular filter before and was testing some new things today. When I input something it doesn't like, I would get an error message like: "Forbidden Content: <evil>Boo</evil>"

Here's the strange part: at some point in my testing, it stopped blocking anything at all. All of the things that it used to flag as "forbidden content" were allowed through. I could use any tag I wanted including the obvious <script>. What would cause this?

One guess is that the routine is throwing an exception and that the exception is handled by simply returning as if everything is okay, but I don't know why it would do that every time. Would there be a reason for it to maintain state? If it does, I could see it getting so screwed up that it can't run without throwing an exception.

Is there something else it could be doing? I don't have source code to check this and I've never run into a similar error while coding.

It wasn't part of a pen-test, just some independent research. I'm the application admin for the system which is hosted by the vendor. As far as I know, there isn't a way to turn the filter off (on purpose).

It's a production system, but school is out right now so I'm pretty much the only person on. I've always felt comfortable playing with XSS using a test course where there aren't any real users that I can harm. The side effects I saw today surprised me.
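The mechanism the question speculates about (a filter that keeps state across requests, gets that state into a bad shape, then swallows the resulting exception and reports the content as clean) is easy to reproduce in miniature. The following is an added, constructed example written for this thread in Python as a stand-in for the vendor's Java filter; nothing here is the real application's code, and the "learned blacklist" design, the `StatefulTagFilter` class, the tag names and the submissions are all assumptions made for illustration. It shows the fail-open variant beside two fail-closed variants so the difference in behaviour after the state is poisoned is visible.

```python
import re

# Constructed example: tag names a hypothetical forum filter allows outright.
ALLOWED_TAGS = {"b", "i", "u", "p", "a", "ul", "ol", "li", "br"}

# Pulls the name out of every tag in a submission. It is deliberately loose
# (any run of non-space, non-'/', non-'>' characters counts as a name), which
# is what lets a malformed name reach the filter's state below.
TAG_RE = re.compile(r"<\s*/?\s*([^\s/>]+)")


class StatefulTagFilter:
    """Hypothetical filter with the two properties the question speculates
    about: mutable state that survives across requests (a 'learned' blacklist
    that grows with every rejected tag name) and a catch-all around the check.

    fail_open:      True  -> an internal exception returns 'allowed' (the bug)
                    False -> an internal exception rejects and is reported
    escape_learned: whether learned names are re.escape()d before they are
                    compiled into the fast-path pattern (fixes the poisoning)
    """

    def __init__(self, fail_open, escape_learned):
        self.fail_open = fail_open
        self.escape_learned = escape_learned
        # Shared, mutable state. If this lived in an application-wide
        # singleton, a failure here would persist across accounts and machines.
        self.learned = ["script", "iframe", "object", "embed"]

    def _fast_pattern(self):
        names = [re.escape(n) if self.escape_learned else n for n in self.learned]
        # Without escaping, a learned name such as "x(" leaves this alternation
        # unbalanced, so re.compile raises here on every later request.
        return re.compile(r"<\s*/?\s*(" + "|".join(names) + r")\b", re.IGNORECASE)

    def _check(self, html):
        if self._fast_pattern().search(html):
            return False, "Forbidden Content: " + html
        for name in TAG_RE.findall(html):
            name = name.lower()
            if name not in ALLOWED_TAGS:
                self.learned.append(name)  # state changes on every reject
                return False, "Forbidden Content: " + html
        return True, "OK"

    def check(self, html):
        """Returns (allowed, message) for one submission."""
        try:
            return self._check(html)
        except Exception as exc:
            if self.fail_open:
                # BUG: any internal failure is reported as clean content.
                return True, "OK"
            # Fail closed: reject, and surface the error so an admin sees it.
            return False, "Filter error, content rejected: " + type(exc).__name__


# Constructed submissions, in the order a tester might send them.
SUBMISSIONS = [
    "<b>hi</b>",               # harmless markup
    "<evil>Boo</evil>",        # unknown tag: rejected, "evil" is learned
    "<x(>Boo</x(>",            # unknown tag whose name is a regex fragment
    "<script>Boo</script>",    # should always be rejected
    "<evil>Boo</evil>",        # was rejected two requests earlier
]


def run(flt, submissions=SUBMISSIONS):
    """Feeds the submissions through one filter instance, in order."""
    return [flt.check(html) for html in submissions]


def allowed_flags(flt, submissions=SUBMISSIONS):
    """Just the allowed/rejected verdicts, for comparing filter variants."""
    return [allowed for allowed, _ in run(flt, submissions)]


if __name__ == "__main__":
    variants = [
        ("fail open, unescaped state", StatefulTagFilter(True, False)),
        ("fail closed, unescaped state", StatefulTagFilter(False, False)),
        ("fail closed, escaped state", StatefulTagFilter(False, True)),
    ]
    for label, flt in variants:
        print(label)
        for html, (allowed, message) in zip(SUBMISSIONS, run(flt)):
            print("  ", html, "->", "allowed" if allowed else message)
```

With the fail-open instance, the first three submissions behave as the original poster describes (clean markup passes, `<evil>` is rejected with the "Forbidden Content" message), and from the fourth request on everything is allowed, including `<script>`, because the poisoned blacklist makes the pattern compile fail and the catch block returns "OK". The fail-closed instances reject the same requests; the unescaped one reports a filter error to the caller instead of silently passing content, and the escaped one never errors at all. The defensive points are the ones a reviewer would raise against the first variant: treat an internal error as a rejection, never let user-controlled strings enter a pattern unescaped, keep filter configuration immutable rather than accumulated per request, and log the exception so a global fail-open does not go unnoticed while the only person on the system is the admin.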

Sounds like Java mischief to me, hehe. Somehow you either got whitelisted, or disabled the "Anti-XSS Firewall" or whatever happened. You will only be able to know if you debug the application and reproduce your steps, on another IP with fresh (new) cookies too, of course.

I think I'm out of luck since I don't have the ability to debug this app. I do know that it's a global issue since the problem persists on other accounts/machines. I really wish I had source code so I could see what the hell they are doing.

It would indeed be interesting to see how on earth such a scenario could be possible, as even I haven't seen it elsewhere. I've seen the opposite, that after like 100 attempts you get blacklisted for a while or permanently, but getting whitelisted out of nowhere, allowing all script execution vectors, now that's rare but fun to hear about, hehe.